ninjamiefandomcom-20200214-history
Diffie-Hellman
Diffie-Hellman (DH) is a'' mathmetical algorithm that allows two computers to generate an identical shared secret on both systems, even though those systems may never have communicated with each other before.'' *That shared secret can then be used to securely exchange a cryptographic encryption key. That key then encrypts traffic between the two systems. Whitfield Diffie and Martin Hellman in 1976. First system to utilize "public-key" or "asymmetric" cryptographic keys, overcoming "private-key" or "symmetric" key systems. *'Symmetic' key system = both sides of the communication must have identical private keys. Securely exchanging those keys was an enormous issue. Symmetic key system is faster than Asymmetric. *'Asymmetic' key system = Uses two keys. One Private key that user keeps a secret and one Public key that can be shared. Today, it's typical to use Symmetric system to encrypt the data and an Asymmetic system to encrypt the symmetric keys for distribution. 'Where DH is used:' *DH is commonly used when encrypting data on the Web using SSL or TLS. (secure socket layer OR transport layer security) *SSH utilizes DH *DH is part of the key exchange mechanism for IPSec: **'ISAKMP (Internet security Association and Key Management Protocol) is the overall IPSec key management framework. Within that frame work is IKE (Internet Key Exchange). IKE relies on OAKLEY and OAKLEY uses Diffie-Hellman.' 'Process' Diffie-Hellman is not an encryption mechanism, it is a method to securely exchange the keys that encrypt data. *Shared Secret (KEK - Key Encryption Key) = Diffie-Hellman securely exchanges the key by creating a shared secret between two devices. The shared secret then encrypts the symmetic key for secure transmittal. The symmetric key is called a Traffic Encryption Key (TEK) or Data Encryption Key (DEK). **KEK provides a secure delivery of the TEK, while the TEK provides a secure delivery of the data. '1. KEY EXCHANGE:' #The Process beings when each side of the communication generates a PRIVATE key. #Each side then generates a PUBLIC key, which is a derivative of the private key. ##The public key and private key are mathematically linked. #The two systems then exchange their PUBLIC keys. #Each side of the communication now has their own private key and the other systems public key. '2. SHARED SECRETS:' Identical cryptographic key shared by each side of the communication. #By running the mathematically operation against your own PRIVATE key and the other side's PUBLIC key, you generate a value. #The other end run's the same operation against your public key and their own private key that also generates a value. #These two values are identical and are the Share Secret ''that can encrypt information between systems. #*Share secret = a cryptographic key that could encrypt traffic. The shared secret by its mathematical nature an Asymmetic Key. IF the two sides are passing very little traffic, the shared secret may encrypt actual data. Bulk traffic encryption requires a symmetic key system such as DES, Triple DES, or (AES) Advanced Encryption Standard, etc. In real applications of Diffie-Hellman protocols (SSL, TLS, SSH, and IPSec) = the shared secret encrypts a symmetric key for one of the symmetric algorithms, transmits it securely, and the distance end decrypts it with the shared secret. *Because the symmetric key is relatively short value (ex 256 bit) as compared to bulk data, the shared secret can encrypt and decrypt it very quickly. '3. DATA ENCRYPTION TRANSMISISON: Once secure exchange of the symmetric key is complete (passing that key is the whole point of the Diffie-Hellman operation), data encryption and secure communication can occur. Data encryption and decryption on each end of communication are by the symmetric key. Changing the symmetic key frequently is important. *Both sides still have the shared secret and it can be used to encrypt future keys at any time. '''Diffie-Hellman Groups: DH groups determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key. These groups use a modular exponentiation: *DH group 1 = 768-bit modulus. *DH group 2 = 1024-bit modulus *DH group 5 = 1536-bit modulus *DH group 14 = 2048-bit modulus. If using encryption or authentication methods with a 128-bit key, use DH group 5 or 14. Groups 1,2,5 cannot be used in stack configurations for FIPS 140 mode. Both peers in a VPN exchange must use the same DH group, which is negotiated during PHASE 1 of the IPSec negotication process. (phase 1 = where the two peers make s secure, authenticated channel to communicate). 'DH groups and Perfect Forward Secrecy (PFS):' you can also specify the DH Group in PHASE 2 of the IPSec connection. You specify the Diffie-Hellman Group in Phase 2 only when you select PFS (perfect forward secrecy). *Phase 2 configuration includes settings for a security association (SA), or how data packets are secured when they are passed between two endpoints. PFS makes keys more secure because new keys are not made from previous keys. If a key is compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated. *The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.